ISO 13849-1 Analysis — Part 8: Fault Exclusion

This entry is part 8 of 9 in the series How to do a 13849-1 analysis

Fault Consideration & Fault Exclusion

ISO 13849-1, Clause 7 [1, 7] discusses the need for fault consideration and fault exclusion. Fault consideration is the process of examining the components and subsystems used in the safety-related part of the control system (SRP/CS) and making a list of all the faults that could occur in each one. This is definitely a non-trivial exercise!

Thinking back to some of the earlier articles in this series where I mentioned the different types of faults, you may recall that there are detectable and undetectable faults, and there are safe and dangerous faults, leading us to four kinds of fault:

  • Safe undetectable faults
  • Dangerous undetectable faults
  • Safe detectable faults
  • Dangerous detectable faults

For systems where no diagnostics are used, Category B and 1, faults need to be eliminated using inherently safe design techniques. Care needs to be taken when classifying components as “well-tried” versus using a fault exclusion, as components that might normally be considered “well-tried” might not meet those requirements in every application.

For systems where diagnostics are part of the design, i.e., Category 2, 3, and 4, the fault lists are used to evaluate the diagnostic coverage (DC) of the test systems. Depending on the architecture, certain levels of DC are required to meet the relevant PL, see [1, Fig. 5]. The fault lists are the starting point for the determination of DC, and are an input into the hardware and software designs. DC is the ratio of the failure rate of the dangerous faults that the diagnostics detect to the failure rate of all dangerous faults on the list, so every dangerous fault that the diagnostics are relied on to catch must actually be detected, and the resulting DC must be high enough to meet the PLr for the safety function.
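As an added example that is not part of the original article, here is how the four-way classification and the DC figure fall out of a fault list once each row carries a dangerous/safe and detectable/undetectable verdict. The component names, fault modes and failure-rate shares below are constructed for illustration and are not taken from ISO 13849-2; the DC definition (rate of detected dangerous failures over the rate of all dangerous failures) and the DC bands (none, low, medium, high) are those of ISO 13849-1.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Fault:
    """One row of a fault list. The values used below are constructed, not taken from ISO 13849-2."""
    component: str
    mode: str
    dangerous: bool     # True if the fault can lead to loss of the safety function
    detectable: bool    # True if the diagnostics of this architecture will reveal it
    rate_share: float   # assumed share of the failure rate attributed to this mode (constructed)


def classify(fault: Fault) -> str:
    """Name the fault as one of the four kinds discussed above."""
    kind = "dangerous" if fault.dangerous else "safe"
    return kind + (" detectable" if fault.detectable else " undetectable")


def diagnostic_coverage(faults) -> float:
    """DC = sum(lambda_DD) / sum(lambda_D): detected dangerous failure rate over total dangerous failure rate."""
    dangerous = [f for f in faults if f.dangerous]
    total_d = sum(f.rate_share for f in dangerous)
    if total_d <= 0:
        raise ValueError("fault list has no dangerous faults; DC is undefined")
    detected_d = sum(f.rate_share for f in dangerous if f.detectable)
    return detected_d / total_d


def dc_band(dc: float) -> str:
    """ISO 13849-1 Table 5 denotations: none (<60 %), low (60 % to <90 %), medium (90 % to <99 %), high (>=99 %)."""
    if not 0.0 <= dc <= 1.0:
        raise ValueError("DC must be a fraction between 0 and 1")
    if dc < 0.60:
        return "none"
    if dc < 0.90:
        return "low"
    if dc < 0.99:
        return "medium"
    return "high"


def dangerous_undetectable(faults):
    """The faults that drive the residual risk: nothing in the design catches them."""
    return [f for f in faults if f.dangerous and not f.detectable]


# Constructed fault list for a single contactor driven by a guard position switch.
CONSTRUCTED_FAULT_LIST = (
    Fault("K1 contactor", "power contact welded closed", dangerous=True, detectable=True, rate_share=0.30),
    Fault("K1 contactor", "coil open circuit (drops out)", dangerous=False, detectable=True, rate_share=0.40),
    Fault("K1 contactor", "mirror contact stuck, feedback lies", dangerous=True, detectable=False, rate_share=0.05),
    Fault("S1 position switch", "NC contact welded", dangerous=True, detectable=True, rate_share=0.20),
    Fault("S1 position switch", "actuator head broken off", dangerous=True, detectable=False, rate_share=0.05),
)


if __name__ == "__main__":
    for f in CONSTRUCTED_FAULT_LIST:
        print(f"{f.component:20s} {f.mode:40s} {classify(f)}")
    dc = diagnostic_coverage(CONSTRUCTED_FAULT_LIST)
    print(f"DC = {dc:.1%} ({dc_band(dc)})")
    for f in dangerous_undetectable(CONSTRUCTED_FAULT_LIST):
        print("needs a design change or a justified exclusion:", f.component, f.mode)
```

With the constructed shares, the two dangerous faults that the feedback loop cannot see pull the DC down to about 83 %, i.e. "low"; the list of dangerous undetectable faults is exactly the list you have to either design out or justify excluding.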

The fault lists and fault exclusions are used in the Validation portion of this process as well. At the start of the Validation process flow chart [2, Fig. 1], you can see how the fault lists and the criteria used for fault exclusion are used as inputs to the validation plan.

[Figure: the first few stages of the ISO 13849-2 validation process, i.e. the start of ISO 13849-2, Fig. 1. The fault lists and the fault exclusion criteria enter the validation plan at this point.]

Faults that can be excluded do not need to be validated, saving time and effort during the system verification and validation (V & V). How is this done?

Fault Consideration

The first step is to develop a list of potential faults that could occur, based on the components and subsystems included in the SRP/CS. ISO 13849-2 [2] includes lists of typical faults for various technologies. For example, [2, Table A.4] is the fault list for mechanical components.

[Figure: mechanical fault list from ISO 13849-2. Table A.4 — Faults and fault exclusions — Mechanical devices, components and elements (e.g. cam, follower, chain, clutch, brake, shaft, screw, pin, guide, bearing)]

[2] contains tables similar to Table A.4 for:

  • Pressure-coil springs
  • Directional control valves
  • Stop (shut-off) valves / non-return (check) valves / quick-action venting valves / shuttle valves, etc.
  • Flow valves
  • Pressure valves
  • Pipework
  • Hose assemblies
  • Connectors
  • Pressure transmitters and pressure medium transducers
  • Compressed air treatment — Filters
  • Compressed air treatment — Oilers
  • Compressed air treatment — Silencers
  • Accumulators and pressure vessels
  • Sensors
  • Fluidic information processing — Logical elements
  • etc.

As you can see, there are many different types of faults that need to be considered. Keep in mind that I did not give you all of the different fault lists; this post would be a mile long if I did that! The point is that you need to develop a fault list for your system, and then consider the impact of each fault on the operation of the system. If you have components or subsystems that are not listed in the tables, then you need to develop your own fault lists for those items. Failure Modes and Effects Analysis (FMEA) is usually the best approach for these components [23], [24].

When considering the faults to be included in the list, there are a few rules from [1, 7.2] to apply:

  • if, after the first fault occurs, other faults develop as a consequence of the first fault, then you can group those faults together and treat them as a single fault
  • two or more single faults with a common cause can be considered as a single fault
  • the simultaneous occurrence of multiple faults with different causes is considered improbable and does not need to be considered

Examples

A voltage regulator fails in a system power supply so that the 24 Vdc output rises to an unregulated 36 Vdc (the internal power supply bus voltage), and after some time has passed, two sensors fail. All three failures can be grouped and considered as a single fault.

If a lightning strike occurs on the power line and the resulting surge voltage on the 400 V mains causes an interposing contactor and the motor drive it controls to fail to danger, then these failures may be grouped and considered as one.

A pneumatic lubricator runs out of lubricant and is not refilled, depriving downstream pneumatic components of lubrication. The spool on the system dump valve sticks open because it is not cycled often enough. These two failures do not share a cause, so there is no need to consider them as occurring simultaneously, because the probability of both happening concurrently is extremely small. One caution: these two faults MAY have a common cause, poor maintenance. If you decide that is the case and treat them as two faults with a common cause, they can then be grouped as a single fault.
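The three grouping rules and the three examples above, carried through in code as an added example (my own illustration, not code from the article or from the standard). Each fault record carries, at most, the name of the earlier fault it developed from and a free-text common cause; the function merges records into the single-fault events that the analysis then counts. The record names are constructed to mirror the examples, and the lubricator/dump-valve pair is run twice, once as independent faults and once with "poor maintenance" named as their common cause.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FaultRecord:
    name: str
    caused_by: Optional[str] = None      # name of the earlier fault this one develops from
    common_cause: Optional[str] = None   # shared root cause, if one has been identified


def group_single_faults(records):
    """Merge fault records into the 'single faults' that ISO 13849-1, 7.2 lets you count.

    Rule 1: a fault that develops as a consequence of an earlier fault joins that fault's group.
    Rule 2: faults sharing a common cause join one group.
    Rule 3: anything left unlinked stays a separate fault; simultaneous occurrence is not considered.
    Returns the groups as sorted lists of names, sorted for stable output.
    """
    names = {r.name for r in records}
    if len(names) != len(records):
        raise ValueError("fault names must be unique")
    parent = {n: n for n in names}          # union-find over fault names

    def find(n):
        while parent[n] != n:
            parent[n] = parent[parent[n]]   # path halving
            n = parent[n]
        return n

    def union(a, b):
        parent[find(a)] = find(b)

    first_with_cause = {}
    for r in records:
        if r.caused_by is not None:
            if r.caused_by not in parent:
                raise KeyError(f"{r.name!r} is consequential on unknown fault {r.caused_by!r}")
            union(r.name, r.caused_by)                                          # rule 1
        if r.common_cause is not None:
            union(r.name, first_with_cause.setdefault(r.common_cause, r.name))  # rule 2

    groups = {}
    for n in names:
        groups.setdefault(find(n), []).append(n)
    return sorted(sorted(g) for g in groups.values())                           # rule 3


# Constructed records mirroring the three examples in the text.
REGULATOR_CASE = (
    FaultRecord("U1 regulator fails, 24 V bus rises to 36 V"),
    FaultRecord("B1 sensor fails", caused_by="U1 regulator fails, 24 V bus rises to 36 V"),
    FaultRecord("B2 sensor fails", caused_by="U1 regulator fails, 24 V bus rises to 36 V"),
)
LIGHTNING_CASE = (
    FaultRecord("K1 interposing contactor fails to danger", common_cause="lightning surge on 400 V mains"),
    FaultRecord("motor drive fails to danger", common_cause="lightning surge on 400 V mains"),
)
MAINTENANCE_INDEPENDENT = (
    FaultRecord("lubricator runs dry, not refilled"),
    FaultRecord("dump valve spool sticks open"),
)
MAINTENANCE_COMMON_CAUSE = tuple(
    FaultRecord(r.name, common_cause="poor maintenance") for r in MAINTENANCE_INDEPENDENT
)


if __name__ == "__main__":
    for label, case in (("regulator", REGULATOR_CASE), ("lightning", LIGHTNING_CASE),
                        ("maintenance, independent", MAINTENANCE_INDEPENDENT),
                        ("maintenance, common cause", MAINTENANCE_COMMON_CAUSE)):
        print(f"{label}: {len(group_single_faults(case))} single fault(s)")
```

The regulator and lightning cases each collapse to one single fault; the maintenance pair stays as two separate faults until someone records poor maintenance as their shared cause, at which point it too becomes one. Whether you record that common cause is the engineering judgement the text warns about; the code only makes the consequence of the decision visible.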

Fault Exclusion

Once you have your well-considered fault lists together, the next question is “Can any of the listed faults be excluded?” This is a tricky question! There are a few points to consider:

  • Does the system architecture allow for fault exclusion?
  • Is the fault technically improbable, even if it is possible?
  • Does experience show that the fault is unlikely to occur?*
  • Are there technical requirements related to the application and the hazard that might support fault exclusion?

BE CAREFUL with this one!

Whenever faults are excluded, a detailed justification for the exclusion needs to be included in the system design documentation. Simply deciding that the fault can be excluded is NOT ENOUGH! Consider the risk a person will be exposed to in the event the fault occurs. If the severity is very high, i.e., severe permanent injury or death, you may not want to exclude the fault even if you think you could. Careful consideration of the resulting injury scenario is needed.

* Basing a fault exclusion on personal experience is seldom considered adequate, which is why I added the asterisk above. Look for good statistical data to support any decision to use a fault exclusion.
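To make the documentation requirement concrete, here is an added example (mine, not from the article or the standards) of a review pass over a fault-exclusion register. An exclusion with no written justification, or one resting on experience alone, is rejected; an otherwise justified exclusion on a fault with S2 consequences (serious, irreversible injury or death, in the terms of the ISO 13849-1 risk graph) is held for review; and the function that lists what still has to be validated treats only accepted exclusions as removable from the validation plan. The register entries and the evidence labels are constructed.

```python
from dataclasses import dataclass

# Kinds of evidence this review accepts as a basis for excluding a fault (labels are constructed).
ACCEPTED_EVIDENCE = frozenset({"ISO 13849-2 fault table", "statistical failure data", "technical design measure"})


@dataclass
class RegisterEntry:
    fault: str
    severity: str                   # "S1" slight (reversible) or "S2" serious (irreversible or death)
    excluded: bool = False
    justification: str = ""         # the written rationale that must go in the design documentation
    evidence: tuple = ()            # what the justification leans on


def review_exclusions(register):
    """Return (fault, verdict, reason) for every exclusion claimed in the register."""
    findings = []
    for e in register:
        if e.severity not in ("S1", "S2"):
            raise ValueError(f"{e.fault!r}: severity must be S1 or S2")
        if not e.excluded:
            continue
        if not e.justification.strip():
            findings.append((e.fault, "REJECT", "no documented justification"))
            continue
        basis = ACCEPTED_EVIDENCE.intersection(e.evidence)
        if not basis:
            findings.append((e.fault, "REJECT",
                             "rests on experience alone; cite a fault table, failure data or a design measure"))
            continue
        if e.severity == "S2":
            findings.append((e.fault, "REVIEW", "S2 consequence; confirm the exclusion is acceptable for this hazard"))
        else:
            findings.append((e.fault, "ACCEPT", "justified by " + ", ".join(sorted(basis))))
    return findings


def validation_list(register):
    """Faults that still go into the validation plan: everything except accepted exclusions."""
    accepted = {fault for fault, verdict, _ in review_exclusions(register) if verdict == "ACCEPT"}
    return [e.fault for e in register if e.fault not in accepted]


CONSTRUCTED_REGISTER = (
    RegisterEntry("shaft fracture", "S2", excluded=True,
                  justification="shaft sized with a safety factor meeting the Table A.4 conditions",
                  evidence=("ISO 13849-2 fault table", "technical design measure")),
    RegisterEntry("return spring breaks", "S2", excluded=True,
                  justification="never seen one break in 20 years", evidence=("personal experience",)),
    RegisterEntry("K1 contact weld", "S2", excluded=True),
    RegisterEntry("guide pin shears", "S1", excluded=True,
                  justification="oversized pin, load well below yield", evidence=("technical design measure",)),
    RegisterEntry("dump valve spool sticks", "S2"),
)


if __name__ == "__main__":
    for fault, verdict, reason in review_exclusions(CONSTRUCTED_REGISTER):
        print(f"{verdict:7s} {fault:25s} {reason}")
    print("still to validate:", validation_list(CONSTRUCTED_REGISTER))
```

Only the S1 pin exclusion drops out of the validation plan; the S2 shaft exclusion is well documented but stays flagged until someone signs off on the injury scenario, and the spring and contactor exclusions go back to the designer.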

There is much more information available in IEC 61508-2 [14] on the subject of fault exclusion, and there is good information in some of the books mentioned below [0.2], [0.3], and [0.4]. If you know of additional resources you would like to share, please post the information in the comments!

Definitions

3.1.3 fault
state of an item characterized by the inability to perform a required function, excluding the inability during preventive maintenance or other planned actions, or due to lack of external resources
Note 1 to entry: A fault is often the result of a failure of the item itself, but may exist without prior failure.
Note 2 to entry: In this part of ISO 13849, “fault” means random fault. [SOURCE: IEC 60050-191:1990, 05-01.]

Book List

Here are some books that I think you may find helpful on this journey:

[0]     B. Main, Risk Assessment: Basics and Benchmarks, 1st ed. Ann Arbor, MI, USA: DSE, 2004.

[0.1]  D. Smith and K. Simpson, Safety Critical Systems Handbook. Amsterdam: Elsevier/Butterworth-Heinemann, 2011.

[0.2]  Electromagnetic Compatibility for Functional Safety, 1st ed. Stevenage, UK: The Institution of Engineering and Technology, 2008.

[0.3]  Overview of Techniques and Measures Related to EMC for Functional Safety, 1st ed. Stevenage, UK: The Institution of Engineering and Technology, 2013.

References

Note: This reference list starts in Part 1 of the series, so “missing” references may show in other parts of the series. Included in the last post of the series is the complete reference list.

[1]     Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design. 3rd Edition. ISO Standard 13849-1. 2015.

[2]     Safety of machinery – Safety-related parts of control systems – Part 2: Validation. 2nd Edition. ISO Standard 13849-2. 2012.

[3]     Safety of machinery – General principles for design – Risk assessment and risk reduction. ISO Standard 12100. 2010.

[4]     Safeguarding of Machinery. 2nd Edition. CSA Standard Z432. 2004.

[5]     Risk Assessment and Risk Reduction – A Guideline to Estimate, Evaluate and Reduce Risks Associated with Machine Tools. ANSI Technical Report B11.TR3. 2000.

[6]     Safety of machinery – Emergency stop function – Principles for design. ISO Standard 13850. 2015.

[7]     Functional safety of electrical/electronic/programmable electronic safety-related systems. 7 parts. IEC Standard 61508. Edition 2. 2010.

[8]     S. Jocelyn, J. Baudoin, Y. Chinniah, and P. Charpentier, “Feasibility study and uncertainties in the validation of an existing safety-related control circuit with the ISO 13849-1:2006 design standard,” Reliab. Eng. Syst. Saf., vol. 121, pp. 104–112, Jan. 2014.

[9]     Guidance on the application of ISO 13849-1 and IEC 62061 in the design of safety-related control systems for machinery. IEC Technical Report TR 62061-1. 2010.

[10]    Safety of machinery – Functional safety of safety-related electrical, electronic and programmable electronic control systems. IEC Standard 62061. 2005.

[11]    Guidance on the application of ISO 13849-1 and IEC 62061 in the design of safety-related control systems for machinery. IEC Technical Report TR 62061-1. 2010. (Same document as [9].)

[12]    D. S. G. Nix, Y. Chinniah, F. Dosio, M. Fessler, F. Eng, and F. Schrever, “Linking Risk and Reliability — Mapping the output of risk assessment tools to functional safety requirements for safety related control systems,” 2015.

[13]    Safety of machinery. Safety related parts of control systems. General principles for design. CEN Standard EN 954-1. 1996.

[14]    Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems. IEC Standard 61508-2. 2010.

[15]    Reliability Prediction of Electronic Equipment. Military Handbook MIL-HDBK-217F. 1991.

[16]    “IFA – Practical aids: Software-Assistent SISTEMA: Safety Integrity – Software Tool for the Evaluation of Machine Applications”, Dguv.de, 2017. [Online]. Available: http://www.dguv.de/ifa/praxishilfen/practical-solutions-machine-safety/software-sistema/index.jsp. [Accessed: 30-Jan-2017].

[17]    “failure mode”, 192-03-17, International Electrotechnical Vocabulary. IEC International Electrotechnical Commission, Geneva, 2015.

[18]    M. Gentile and A. E. Summers, “Common Cause Failure: How Do You Manage Them?,” Process Saf. Prog., vol. 25, no. 4, pp. 331–338, 2006.

[19]    Out of Control — Why control systems go wrong and how to prevent failure, 2nd ed. Richmond, Surrey, UK: HSE Health and Safety Executive, 2003.

[20]    Safeguarding of Machinery. 3rd Edition. CSA Standard Z432. 2016.

[21]    O. Reg. 851, INDUSTRIAL ESTABLISHMENTS. Ontario, Canada, 1990.

[22]    “Field-programmable gate array”, En.wikipedia.org, 2017. [Online]. Available: https://en.wikipedia.org/wiki/Field-programmable_gate_array. [Accessed: 16-Jun-2017].

[23]    Analysis techniques for system reliability – Procedure for failure mode and effects analysis (FMEA). 2nd Ed. IEC Standard 60812. 2006.

[24]    “Failure mode and effects analysis”, En.wikipedia.org, 2017. [Online]. Available: https://en.wikipedia.org/wiki/Failure_mode_and_effects_analysis. [Accessed: 16-Jun-2017].

Interlocking Devices: The Good, The Bad and the Ugly

This entry is part 1 of 2 in the series Guards and Guarding

Note: A shorter version of this article was published in the May 2012 edition of Manufacturing Automation Magazine.

When designing safeguarding systems for machines, one of the basic building blocks is the movable guard. Movable guards can be doors, panels, gates or other physical barriers that can be opened without using tools. Every one of these guards needs to be interlocked with the machine control system so that the hazards covered by the guards will be effectively controlled when the guard is opened.

There are a number of important aspects to the design of movable guards. This article will focus on the selection of interlocking devices that are used with movable guards.

The Hierarchy of Controls

[Figure 1 – The Hierarchy of Controls, drawn as an inverted pyramid]

This article assumes that a risk assessment has been done as part of the design process. If you haven’t done a risk assessment first, start there, and then come back to this point in the process. You can find more information on risk assessment methods in this post from 31-Jan-11. ISO 12100 [1] can also be used for guidance in this area.

The hierarchy of controls describes levels of controls that a machine designer can use to control the assessed risks. The hierarchy is defined in [1]. Designers are required to apply every level of the hierarchy in order, starting at the top. Each level is applied until the available measures are exhausted, or cannot be applied without destroying the purpose of the machine, allowing the designer to move to the next lower level.

Engineering controls are subdivided into a number of different sub-groups. Only movable guards are required to have interlocks. There are a number of similar types of guards that can be mistaken for movable guards, so let’s take a minute to look at a few important definitions.

Table 1 – Definitions (International [1], Canadian [2], USA [10])

Guard
  • International [1], 3.27 guard: physical barrier, designed as part of the machine to provide protection. NOTE 1 A guard may act either alone, in which case it is only effective when “closed” (for a movable guard) or “securely held in place” (for a fixed guard), or in conjunction with an interlocking device with or without guard locking, in which case protection is ensured whatever the position of the guard. NOTE 2 Depending on its construction, a guard may be described as, for example, casing, shield, cover, screen, door, enclosing guard. NOTE 3 The terms for types of guards are defined in 3.27.1 to 3.27.6. See also 6.3.3.2 and ISO 14120 for types of guards and their requirements.
  • Canadian [2], Guard: a part of machinery specifically used to provide protection by means of a physical barrier. Depending on its construction, a guard may be called a casing, screen, door, enclosing guard, etc.
  • USA [10], 3.22 guard: A barrier that prevents exposure to an identified hazard. E3.22 Sometimes referred to as barrier guard.

Interlocking guard
  • International [1], 3.27.4 interlocking guard: guard associated with an interlocking device so that, together with the control system of the machine, the following functions are performed: the hazardous machine functions “covered” by the guard cannot operate until the guard is closed; if the guard is opened while hazardous machine functions are operating, a stop command is given; and when the guard is closed, the hazardous machine functions “covered” by the guard can operate (the closure of the guard does not by itself start the hazardous machine functions). NOTE ISO 14119 gives detailed provisions.
  • Canadian [2], Interlocked barrier guard: a fixed or movable guard attached and interlocked in such a manner that the machine tool will not cycle or will not continue to cycle unless the guard itself or its hinged or movable section encloses the hazardous area.
  • USA [10], 3.32 interlocked barrier guard: A barrier, or section of a barrier, interfaced with the machine control system in such a manner as to prevent inadvertent access to the hazard.

Movable guard
  • International [1], 3.27.2 movable guard: guard which can be opened without the use of tools.
  • Canadian [2], Movable guard: a guard generally connected by mechanical means (e.g., hinges or slides) to the machine frame or an adjacent fixed element and that can be opened without the use of tools. The opening and closing of this type of guard may be powered.
  • USA [10], 3.37 movable barrier device: A safeguarding device arranged to enclose the hazard area before machine motion can be initiated. E3.37 There are two types of movable barrier devices: Type A, which encloses the hazard area during the complete machine cycle; Type B, which encloses the hazard area during the hazardous portion of the machine cycle.

Interlocking device
  • International [1], 3.28.1 interlocking device (interlock): mechanical, electrical or other type of device, the purpose of which is to prevent the operation of hazardous machine functions under specified conditions (generally as long as a guard is not closed).
  • Canadian [2], Interlocking device (interlock): a mechanical, electrical, or other type of device, the purpose of which is to prevent the operation of machine elements under specified conditions (usually when the guard is not closed).
  • USA [10]: No definition.

Interlocking guard with guard locking
  • International [1], 3.27.5 interlocking guard with guard locking: guard associated with an interlocking device and a guard locking device so that, together with the control system of the machine, the following functions are performed: the hazardous machine functions “covered” by the guard cannot operate until the guard is closed and locked; the guard remains closed and locked until the risk due to the hazardous machine functions “covered” by the guard has disappeared; and when the guard is closed and locked, the hazardous machine functions “covered” by the guard can operate (the closure and locking of the guard do not by themselves start the hazardous machine functions). NOTE ISO 14119 gives detailed provisions.
  • Canadian [2], Guard locking device: a device that is designed to hold the guard closed and locked until the hazard has ceased.
  • USA [10]: No definition.

As you can see from the definitions, movable guards can be opened without the use of tools, and are generally fixed to the machine along one edge. Movable guards are always associated with an interlocking device. Guard selection is covered very well in ISO 14120 [11]. This standard contains a flowchart that is invaluable for selecting the appropriate style of guard for a given application.
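The three functions in the 3.27.4 definition, and the two extra ones that 3.27.5 adds for guard locking, describe a small state machine. Here is that machine in code, as an added example (my own illustration, not code from the article, from the standards or from any product). A guard-closed input, the lock state and a standstill signal decide whether hazardous functions may run, when a stop is issued, and when the lock may release; the point the definitions stress, that closing or locking the guard never starts anything by itself, is what the explicit start request enforces. The class, the method names and the input sequences are assumptions for the illustration.

```python
from dataclasses import dataclass, field


@dataclass
class InterlockingGuard:
    """Constructed model of an interlocking guard, with or without guard locking (ISO 12100 3.27.4 / 3.27.5)."""
    with_locking: bool = True
    guard_closed: bool = False
    locked: bool = False
    hazard_running: bool = False     # True while the hazardous machine functions operate
    standstill: bool = True          # from a standstill monitor; True once the hazard has ceased
    log: list = field(default_factory=list)

    def _may_run(self) -> bool:
        # 3.27.4: cannot operate until closed; 3.27.5: until closed AND locked
        return self.guard_closed and (self.locked or not self.with_locking)

    def close_guard(self) -> bool:
        """Closing (and locking) the guard never starts the hazardous functions by itself."""
        self.guard_closed = True
        if self.with_locking:
            self.locked = True
        return self.hazard_running       # unchanged by closing

    def request_start(self) -> bool:
        """An explicit start command is honoured only while the guard permits it."""
        if not self._may_run():
            self.log.append("start refused: guard open or unlocked")
            return False
        self.hazard_running = True
        self.standstill = False
        return True

    def stop(self) -> None:
        self.hazard_running = False      # motion may coast until the standstill monitor says otherwise

    def standstill_reached(self) -> None:
        self.standstill = True

    def request_unlock(self) -> bool:
        """3.27.5: the guard stays locked until the risk from the hazardous functions has disappeared."""
        if self.hazard_running or not self.standstill:
            self.log.append("unlock refused: hazardous motion present")
            return False
        self.locked = False
        return True

    def open_guard(self) -> bool:
        """Opening an unlocked guard while running issues the stop command; a locked guard cannot be opened."""
        if self.locked:
            self.log.append("guard held closed by lock")
            return False
        self.guard_closed = False
        if self.hazard_running:
            self.log.append("STOP command issued")
            self.hazard_running = False
        return True


def demo_without_locking():
    """Walk the 3.27.4 functions; returns (running right after closing, running after opening, log)."""
    g = InterlockingGuard(with_locking=False)
    g.request_start()          # refused: guard open
    g.close_guard()            # closing alone does not start anything
    started_after_close = g.hazard_running
    g.request_start()          # now permitted
    g.open_guard()             # opening while running: stop command
    return started_after_close, g.hazard_running, list(g.log)


def demo_with_locking():
    """Walk the 3.27.5 functions; returns (unlock refused while running, refused while coasting, finally opened)."""
    g = InterlockingGuard(with_locking=True)
    g.close_guard()
    g.request_start()
    refused_running = not g.request_unlock()
    g.stop()
    refused_coasting = not g.request_unlock()   # stopped, but standstill not yet confirmed
    g.standstill_reached()
    g.request_unlock()
    return refused_running, refused_coasting, g.open_guard()


if __name__ == "__main__":
    print("without locking:", demo_without_locking())
    print("with locking:   ", demo_with_locking())
```

The coasting step is the one worth noticing: a stop command alone does not release the lock, only the standstill monitor does, which is exactly why the guard-locking discussion later in the article turns on standstill monitoring.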


Though much emphasis is placed on the correct selection of these interlocking devices, they represent a very small portion of the hierarchy. It is their widespread use that makes them so important when it comes to safety system design.

Electrical vs. Mechanical Interlocks

[Figure 2 – Mechanical Interlocking]

Most modern machines use electrical interlocks because the machine is fitted with an electrical control system, but it is entirely possible to interlock the power to the prime movers using mechanical means. This doesn’t affect the portion of the hierarchy involved, but it may affect the control reliability analysis that you need to do.

Mechanical Interlocks

Figure 2, from ISO 14119 [7, Fig. H.1, H.2], shows one example of a mechanical interlock. In this case, when cam 2 is rotated into the position shown in a), the guard cannot be opened. Once the hazardous condition behind the guard is effectively controlled, cam 2 rotates to the position in b), and the guard can be opened.

Arrangements that use the open guard to physically block operation of the controls can also be used in this way. See Figure 3 [7, Fig. C.1, C.2].

[Figure 3 – Mechanical Interlocking using machine control devices]

Fluid Power Interlocks

Figure 4, from [7, Fig. K.2], shows an example of two fluid-power valves used in complementary mode on a single sliding gate.

[Figure 4 – Example of a fluid power interlock (hydraulic interlock from ISO 14119)]

In this example, fluid can flow from the pressure supply (the circle with the dot in it at the bottom of the diagram) through the two valves to the prime mover, which could be a cylinder, a motor or some other device, when the guard is closed (position ‘a’). There could be an additional control valve following the interlock that would provide the normal control mode for the device.

When the guard is opened (position ‘b’), the two valve spools shift to the second position, the lower valve blocks the pressure supply, and the upper valve vents the pressure in the circuit, helping to prevent unexpected motion from trapped energy.

If the spring in the upper valve fails, the lower spool will be driven by the gate into a position that will still block the pressure supply and vent the trapped energy in the circuit.


Electrical Interlocks

By far the majority of interlocks used on machinery are electrical. Electrical interlocks offer ease of installation, flexibility in selection of interlocking devices, and a range of complexity from simple to extremely complex. The architectural categories cover any technology, whether it is mechanical, fluidic, or electrical, so let’s have a look at architectures first.

Architecture Categories

[Figure 5 – Control Reliability Categories: comparing the ANSI, CSA, and ISO categories]

In Canada, CSA Z432 [2] and CSA Z434 [3] provide four categories of control reliability: simple, single channel, single-channel monitored and control reliable. In the U.S., the categories are very similar, with some differences in the definition for control reliable (see RIA R15.06, 1999). In the EU, there are five levels of control reliability, defined as Performance Levels (PL) given in ISO 13849-1 [4]: PL a, b, c, d and e. Underpinning these levels are five architectural categories: B, 1, 2, 3 and 4. Figure 5 shows how these architectures line up.

To add to the confusion, IEC 62061 [5] is another international control reliability standard that could be used. This standard defines reliability in terms of Safety Integrity Levels (SILs). These SILs do not line up exactly with the PLs in [4], but they are similar. [5] is based on IEC 61508 [6], a well-respected control reliability standard used in the process industries. [5] is not well suited to applications involving hydraulic or pneumatic elements.

The orange arrow in Figure 5 highlights the fact that the definition in the CSA standards results in a more reliable system than the ANSI/RIA definition, because the CSA definition requires TWO (2) separate physical switches on the guard to meet the requirement, while the ANSI/RIA definition only requires redundant circuits and makes no requirement for redundant devices. Note that the arrow representing the ANSI/RIA control reliability category falls below the ISO Category 3 arrow due to this same detail in the definition.

Note that Figure 5 does not address the question of PLs or SILs and how they relate to each other. That is a topic for another article!

The North American architectures deal primarily with electrical or fluid-power controls, while the EU system can accommodate electrical, fluid-power and mechanical systems.

From the single-channel-monitored or Category 2 level up, the systems are required to have testing built in, enabling the detection of failures in the system. The level of fault tolerance increases as the category increases.

Interlocking devices

Interlocking devices are the components that are used to create the interlock between the safeguarding device and the machine’s power and control systems. Interlocking systems can be purely mechanical, purely electrical or a combination of these.

[Photo 1 – Roller cam switch used as part of a complementary interlock]

Most machinery has an electrical/electronic control system, and these systems are the most common way that machine hazards are controlled. Switches and sensors connected to these systems are the most common types of interlocking devices.

Interlocking devices can be something as simple as a micro-switch or a reed switch, or as complex as a non-contact sensor with an electromagnetic locking device.

Images of interlocking devices used in this article are representative of some of the types and manufacturers available, but should not be taken as an endorsement of any particular make or type of device. There are lots of manufacturers and unique models that can fit any given application, and most manufacturers have similar devices available.

Photo 1 shows a safety-rated, direct-drive roller cam switch used as half of a complementary switch arrangement on a gate interlock. The integrator failed to cover the switches to prevent intentional defeat in this application.

[Photo 2 – Micro-switch used for interlocking]

Photo 2 shows a ‘microswitch’ used for interlocking a machine cover panel that is normally held in place with fasteners, and so is a ‘fixed guard’ as long as the fasteners require a tool to remove. Fixed guards do not require interlocks under most circumstances. Some product family standards do require interlocks on fixed guards due to the nature of the hazards involved.

Microswitches are not safety-rated and are not recommended for use in this application. They are easily defeated and tend to fail to danger in my experience.

Requirements for interlocking devices are published in a number of standards, but the key ones for industrial machinery are ISO 14119 [7], CSA Z432 [2], and ANSI B11.0 [8]. These standards define the electrical and mechanical requirements, and in some cases the testing requirements, that devices intended for safety applications must meet before they can be classified as safety components.

[Photo 3 – Schmersal AZ15 plastic-bodied interlock switch, a typical plastic-bodied interlocking device]

These devices are also integral to the reliability of the control systems into which they are integrated. Interlock devices, on their own, cannot meet a reliability rating above ISO 13849-1 Category 1, or CSA Z432-04 Single Channel. To understand this, consider that the definitions for Category 2, 3 and 4 all require the ability for the system to monitor and detect failures, and in Categories 3 & 4, to prevent the loss of the safety function. Similar requirements exist in CSA and ANSI’s “single-channel-monitored” and “control-reliable” categories. Unless the interlock device has a monitoring system integrated into the device, these categories cannot be achieved.

Guard Locking

Interlocking devices are often used in conjunction with guard locking. There are a few reasons why a designer might want to lock a guard closed, but the most common one is a lack of safety distance. In some cases the guard may be locked closed to protect the process rather than the operator, or for other reasons.

[Photo 4 – Interlocking Device with Guard Locking]

Safety distance is the distance between the opening covered by the movable guard and the hazard. The minimum distance is determined using the safety distance calculations given in [2] and ISO 13855 [9]. This calculation uses a ‘hand-speed constant’, called K, to represent the theoretical speed that the average person can achieve when extending their hand straight forward when standing in front of the opening. In North America, K is usually 63 inches/second, or 1600 mm/s. Internationally and in the EU, there are two speeds: 2000 mm/s, used for an approach perpendicular to the plane of the guard, or 1600 mm/s for approaches at 45 degrees or less [9]. 2000 mm/s is used with movable guards, and is approximately equivalent to 79 inches/second. Using the International approach, if the value of Ds is greater than 500 mm when calculated using K = 2000 mm/s, then [9] permits the calculation to be done using K = 1600 mm/s instead, provided the result is not less than 500 mm.

Using the stopping time of the machinery and K, the minimum safety distance can be calculated.

Eq. 1              Ds = K × Ts

Using Equation 1 [2], assume you have a machine that takes 250 ms to stop when the interlock is opened. Inserting the values into the equation gives you a minimum safety distance of:

Example 1             Ds = 63 in/s × 0.250 s = 15.75 inches

Example 2             Ds = 2000 mm/s × 0.250 s = 500 mm

As you can see, the International value of K gives a more conservative value, since 500 mm is approximately 20 inches.
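Equation 1 and the two examples, carried through in code as an added example (not part of the original article): one function for the North American constant and one for the International approach, including the rule that a result over 500 mm with K = 2000 mm/s may be recomputed with K = 1600 mm/s, together with the 500 mm floor that ISO 13855 attaches to that rule. The 250 ms stopping time is the article’s; the other stopping times used in the checks are constructed.

```python
MM_PER_INCH = 25.4


def _check_stop_time(stop_time_s: float) -> None:
    if not stop_time_s > 0:
        raise ValueError("the overall stopping time Ts must be positive")


def safety_distance_inches(stop_time_s: float, k_in_per_s: float = 63.0) -> float:
    """Eq. 1 with the North American hand-speed constant: Ds = K x Ts, result in inches."""
    _check_stop_time(stop_time_s)
    return k_in_per_s * stop_time_s


def safety_distance_mm(stop_time_s: float) -> float:
    """International approach for a perpendicular approach to a movable guard.

    Start with K = 2000 mm/s. If that gives more than 500 mm, ISO 13855 allows K = 1600 mm/s
    instead, but the result may then not fall below 500 mm.
    """
    _check_stop_time(stop_time_s)
    ds = 2000.0 * stop_time_s
    if ds > 500.0:
        ds = max(1600.0 * stop_time_s, 500.0)
    return ds


def compare(stop_time_s: float) -> dict:
    """Both results in millimetres so the two constants can be compared directly."""
    na_mm = safety_distance_inches(stop_time_s) * MM_PER_INCH
    iso_mm = safety_distance_mm(stop_time_s)
    return {
        "north_america_mm": round(na_mm, 2),
        "international_mm": round(iso_mm, 2),
        "international_is_more_conservative": iso_mm > na_mm,
    }


if __name__ == "__main__":
    for ts in (0.250, 0.300, 0.400):      # 250 ms is the article's example; the others are constructed
        print(f"Ts = {ts:.3f} s ->", compare(ts))
```

At 250 ms the two approaches give the 15.75 in (about 400 mm) and 500 mm of the examples above. At 300 ms the International result is still pinned at the 500 mm floor. At 400 ms the 1600 mm/s constant applies, and because 63 in/s is 1600.2 mm/s the two approaches land within a fraction of a millimetre of each other, so the extra conservatism of the International method is confined to short stopping times.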

Note that I have not included the ‘Penetration Factor’, Dpf in this cal­cu­la­tion. This factor is used with pres­ence sens­ing safe­guard­ing devices like light cur­tains, fences, mats, two-​hand con­trols, etc. This factor is not applic­able to mov­able, inter­locked guards.

Also import­ant to con­sider is the amount the guard can be opened before activ­at­ing the inter­lock. This will depend on many factors, but for sim­pli­city, con­sider a hinged gate on an access point. If the guard uses two hinge-​pin style switches, you may be able to open the gate a few inches before the switches rotate enough to detect the open­ing of the guard. In order to determ­ine the open­ing size, you would slowly open the gate just to the point where the inter­lock is tripped, and then meas­ure the width of the open­ing. Using the tables found in [2], [3], [10], or ISO 13857 [12], you can then determ­ine how far the guard must be from the haz­ards behind it. If that dis­tance is great­er than what is avail­able, you could remove one hinge-​pin switch, and replace it with anoth­er type moun­ted on the post oppos­ite the hinges. This could be a keyed inter­lock like Photo 3, or a non-​contact device like Photo 5. This would reduce the open­ing width at the point of detec­tion, and thereby reduce the safety dis­tance behind the guard. But what if that is still not good enough?

If you have to install the guard closer to the haz­ard than the min­im­um safety dis­tance, lock­ing the guard closed and mon­it­or­ing the stand-​still of the machine allows you to ignore the safety dis­tance require­ment because the guard can­not be opened until the machinery is at a stand­still, or in a safe state.

Guard lock­ing devices can be mech­an­ic­al, elec­tro­mag­net­ic, or any oth­er type that pre­vents the guard from open­ing. The guard lock­ing device is only released when the machine has been made safe.

There are many types of safety-​rated stand-​still mon­it­or­ing devices avail­able now, and many variable-​frequency drives and servo drive sys­tems are avail­able with safety-​rated stand-​still mon­it­or­ing.
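To make the three options above (two hinge-pin switches, one hinge-pin switch plus a latch-side switch, and guard locking with standstill monitoring) checkable with numbers, here is a short calculator. It is an added example and not part of the original article. It uses the ISO 13855 form for an interlocking guard without guard locking, S = K × T + C with K = 1600 mm/s, and takes C from the slot-opening column of the ISO 13857 reach-through table [12]. The table values are my own transcription and must be checked against the standard before use; the stop time, the opening widths at the trip point and the available distance are constructed inputs, not measurements from the article. ANSI B11.19 [10] users would pass 63 in/s converted to mm/s as K.

```python
# Added worked example (not part of the original article). Assumptions are
# marked in the comments: the S = K*T + C form, K = 1600 mm/s, and the
# reach-through table values, which must be verified against ISO 13857.
from typing import Optional, Tuple

K_ISO_MM_PER_S = 1600.0   # ISO 13855 / CSA Z432 constant for interlocked guards
# ANSI B11.19 uses 63 in/s; convert with 63 * 25.4 before passing it as k.

# Slot openings, persons 14 years and older: (opening e <= this many mm,
# minimum distance sr in mm). Transcribed from ISO 13857:2008 Table 4 from
# memory -- an assumption to verify, not a citation.
SLOT_REACH_THROUGH_MM = [
    (4, 2), (6, 10), (8, 20), (10, 80), (12, 100),
    (20, 120), (30, 850), (40, 850), (120, 850),
]


def reach_through_distance_mm(opening_mm: float) -> Optional[float]:
    """Minimum distance from a slot opening of width e to the hazard.

    Returns None above 120 mm: that is no longer a 'regular opening' in the
    table's sense, so the reach-through figures do not apply and the opening
    has to be treated as whole-body access instead."""
    if opening_mm < 0:
        raise ValueError("opening must be non-negative")
    for upper_mm, sr_mm in SLOT_REACH_THROUGH_MM:
        if opening_mm <= upper_mm:
            return float(sr_mm)
    return None


def minimum_safety_distance_mm(stop_time_s: float, opening_mm: float,
                               k_mm_per_s: float = K_ISO_MM_PER_S) -> Optional[float]:
    """S = K*T + C for an interlocking guard without guard locking.

    T is the overall stopping performance (interlock response plus machine
    stop time); C is the reach-through allowance for the opening that
    exists at the moment the interlock trips."""
    c_mm = reach_through_distance_mm(opening_mm)
    if c_mm is None:
        return None
    return k_mm_per_s * stop_time_s + c_mm


def assess_guard(stop_time_s: float, opening_at_trip_mm: float,
                 available_mm: float, guard_locked: bool = False
                 ) -> Tuple[bool, Optional[float], str]:
    """Decide whether a guard placement works.

    Returns (acceptable, required_mm, reason). With guard locking plus
    standstill monitoring the stopping-distance term drops out, because the
    guard cannot open while the hazard is still moving; the lock and the
    monitor then carry the safety function and must meet its PLr."""
    if guard_locked:
        return True, None, "guard locked until standstill: K*T term not required"
    required_mm = minimum_safety_distance_mm(stop_time_s, opening_at_trip_mm)
    if required_mm is None:
        return False, None, "opening > 120 mm: reach-through table not applicable"
    if available_mm >= required_mm:
        return True, required_mm, "available distance meets required distance"
    return False, required_mm, "guard too close to hazard for this opening"


def hinged_gate_options(stop_time_s: float = 0.25, available_mm: float = 900.0) -> dict:
    """The three options from the text on constructed inputs: a 0.25 s stop
    and 900 mm between guard and hazard. Opening widths at the trip point
    are assumed: 75 mm with two hinge-pin switches, 10 mm once one switch
    sits on the latch side."""
    return {
        "two_hinge_pin_switches": assess_guard(stop_time_s, 75.0, available_mm),
        "hinge_pin_plus_latch_side_switch": assess_guard(stop_time_s, 10.0, available_mm),
        "guard_locking_with_standstill_monitor": assess_guard(
            stop_time_s, 75.0, available_mm, guard_locked=True),
    }


if __name__ == "__main__":
    for option, (ok, required, reason) in hinged_gate_options().items():
        print(f"{option:40s} ok={ok!s:5s} required={required} ({reason})")
```

On those constructed inputs the gate with two hinge-pin switches trips at a 75 mm opening and needs 400 + 850 = 1250 mm, which the 900 mm installation fails; moving one switch to the latch side so the trip point is a 10 mm opening brings the requirement down to 480 mm, and guard locking removes the K × T term altogether. Note that the function refuses to give a number for openings over 120 mm rather than extrapolating, since the reach-through table stops there.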

Environment, failure modes and fault exclusion

Every device has fail­ure modes. The cor­rect selec­tion of the device starts with under­stand­ing the phys­ic­al envir­on­ment to which the device will be exposed. This means under­stand­ing the tem­per­at­ure, humid­ity, dust/​abrasives expos­ure, chem­ic­al expos­ures, and mech­an­ic­al shock and vibra­tion expos­ures in the applic­a­tion. Selecting a del­ic­ate reed switch for use in a high-​vibration, high-​shock envir­on­ment is a recipe for fail­ure, just as select­ing a mech­an­ic­al switch in a dusty, damp, cor­ros­ive envir­on­ment will also lead to pre­ma­ture fail­ure.

Example of a non-contact interlocking device
Photo 5 – JOKAB EDEN Interlock System

Interlock device man­u­fac­tur­ers have a vari­ety of non-​contact inter­lock­ing devices avail­able today that use coded RF sig­nals or RF ID tech­no­lo­gies to ensure that the inter­lock can­not be defeated by simple meas­ures, like tap­ing a mag­net to a reed switch. The Jokab EDEN sys­tem is one example of a sys­tem like this that also exhib­its IP65 level res­ist­ance to mois­ture and dust. Note that sys­tems like this include a safety mon­it­or­ing device and the sys­tem as a whole can meet Control Reliable or Category 3 /​ 4 archi­tec­tur­al require­ments when a simple inter­lock switch could not.

The device stand­ards do provide some guid­ance in mak­ing these selec­tions, but it’s pretty gen­er­al.

Fault Exclusion

Fault exclu­sion is anoth­er key concept that needs to be under­stood. Fault exclu­sion holds that fail­ure modes that have an exceed­ingly low prob­ab­il­ity of occur­ring dur­ing the life­time of the product can be excluded from con­sid­er­a­tion. This can apply to elec­tric­al or mech­an­ic­al fail­ures. Here’s the catch: Fault exclu­sion is not per­mit­ted under any North American stand­ards at the moment. Designs based on the North American con­trol reli­ab­il­ity stand­ards can­not take advant­age of fault exclu­sions. Designs based on the International and EU stand­ards can use fault exclu­sion, but be aware that sig­ni­fic­ant doc­u­ment­a­tion sup­port­ing the exclu­sion of each fault is needed.

Defeat resistance

Diagram showing one method of preventing interlock defeat.
Figure 6 – Preventing Defeat

The North American stand­ards require that the devices chosen for safety-​related inter­locks be defeat-​resistant, mean­ing they can­not be eas­ily fooled with a cable-​tie, a scrap of met­al or a piece of tape.

Figure 6 [7, Fig. 10] shows a key-​operated switch, like the Schmersal AZ15, installed with a cov­er that is inten­ded to fur­ther guard against defeat. The key, some­times called a ‘tongue’, used with the switch pre­vents defeat using a flat piece of met­al or a knife blade. The cov­er pre­vents dir­ect access to the inter­lock­ing device itself. Use of tamper-​resistant hard­ware will fur­ther reduce the like­li­hood that someone can remove the key and insert it into the switch, bypassing the guard.

Inner-Tite tamper resistance fasteners
Photo 6 – Tamper-​resistant fasten­ers


The International and EU stand­ards do not require the devices to be inher­ently defeat res­ist­ant, which means that you can use “safety-​rated” lim­it switches with roller-​cam actu­at­ors, for example. However, as a design­er, you are required to con­sider all reas­on­ably fore­see­able fail­ure modes, and that includes inten­tion­al defeat. If the inter­lock­ing devices are eas­ily access­ible, then you must select defeat-​resistant devices and install them with tamper-​resistant hard­ware to cov­er these fail­ure modes.

Photo 6 shows one type of tamper-resistant fastener made by Inner-Tite [13]. Photo 7 shows fasteners with uniquely keyed key ways made by Bryce Fastener [14], and Photo 8 shows more traditional tamperproof fasteners from the Tamperproof Screw Company [15]. Fasteners like these give the highest level of security you can get from a threaded fastener: they stop removal with ordinary hand tools, which is what defeats the casual bypass, but anyone holding the matching driver bit can still take them out, so control of the bits is part of the design. There are many different designs available from a wide variety of manufacturers.

Bryce Key-Rex tamper-resistant fasteners
Photo 7 – Keyed Tamper-​Resistant Fasteners
Tamper proof screws made by the Tamperproof Screw Company
Photo 8 – Tamper proof screws

Almost any inter­lock­ing device can be bypassed by a know­ledge­able per­son using wire and the right tools. This type of defeat is not gen­er­ally con­sidered, as the degree of know­ledge required is great­er than that pos­sessed by “nor­mal” users.

How to select the right device

When select­ing an inter­lock­ing device, start by look­ing at the envir­on­ment in which the device will be loc­ated. Is it dry? Is it wet (i.e., with cut­ting flu­id, oil, water, etc.)? Is it abras­ive (dusty, sandy, chips, etc.)? Is it indoors or out­doors and sub­ject to wide tem­per­at­ure vari­ations?

Is there a product stand­ard that defines the type of inter­lock you are design­ing? An example of this is the inter­lock types in ANSI B151.1 [4] for plastic injec­tion mould­ing machines. There may be restric­tions on the type of devices that are suit­able based on the require­ments in the stand­ard.

Consider integ­ra­tion require­ments with the con­trols. Is the inter­lock purely mech­an­ic­al? Is it integ­rated with the elec­tric­al sys­tem? Do you require guard lock­ing cap­ab­il­ity? Do you require defeat res­ist­ance? What about device mon­it­or­ing or annun­ci­ation?

Once you can answer these ques­tions, you will have nar­rowed down your selec­tions con­sid­er­ably. The final ques­tion is: What brand is pre­ferred? Go to your pre­ferred supplier’s cata­logues and make a selec­tion that fits with the answers to the pre­vi­ous ques­tions.

The next stage is to integ­rate the device(s) into the con­trols, using whichever con­trol reli­ab­il­ity stand­ard you need to meet. That is the sub­ject for a series of art­icles!

References


[1] Safety of machinery – General prin­ciples for design – Risk assess­ment and risk reduc­tion, ISO Standard 12100, Edition 1, 2010

[2] Safeguarding of Machinery, CSA Standard Z432, 2004 (R2009)


[3] Industrial Robots and Robot Systems – General Safety Requirements, CSA Standard Z434, 2003 (R2008)

[4] Safety of machinery — Safety-​related parts of con­trol sys­tems — Part 1: General prin­ciples for design, ISO Standard 13849 – 1, 2006

[5] Safety of machinery – Functional safety of safety-​related elec­tric­al, elec­tron­ic and pro­gram­mable elec­tron­ic con­trol sys­tems, IEC Standard 62061, Edition 1, 2005

[6] Functional safety of electrical/​electronic/​programmable elec­tron­ic safety-​related sys­tems (Seven Parts), IEC Standard 61508-​X

[7] Safety of machinery – Interlocking devices asso­ci­ated with guards – Principles for design and selec­tion, ISO Standard 14119, 1998

[8] American National Standard for Machines, General Safety Requirements Common to ANSI B11 Machines, ANSI Standard B11, 2008

[9] Safety of machinery — Positioning of safe­guards with respect to the approach speeds of parts of the human body, ISO 13855, 2010

[10] American National Standard for Machine Tools – Performance Criteria for Safeguarding, ANSI B11.19, 2003

[11] Safety of machinery — Guards — General requirements for the design and construction of fixed and movable guards, ISO 14120, 2002

[12] Safety of machinery – Safety distances to prevent hazard zones being reached by upper and lower limbs, ISO 13857, 2008

[13] Inner-​Tite Corp. home page. (2012). Available: http://​www​.inner​-tite​.com/

[14] Bryce Fastener, Inc. home page. (2012). Available: http://​www​.bryce​fasten​er​.com/

[15] Tamperproof Screw Co., Inc., home page. (2013). Available: http://​www​.tamper​proof​.com

Interlock Architectures Pt. 6 – Comparing North American and International Systems

This entry is part 6 of 8 in the series Circuit Architectures Explored

I’ve now writ­ten six posts, includ­ing this one, on the top­ic of cir­cuit archi­tec­tures for the safety-​related parts of con­trol sys­tems. In this post, we’ll com­pare the International and North American sys­tems. This com­par­is­on is not inten­ded to draw con­clu­sions about which is “bet­ter”, but rather to com­pare and con­trast the two sys­tems so that design­ers can clearly see where the over­laps and the gaps in the sys­tems exist.

Since we’ve spent a lot of time talk­ing about ISO 13849 – 1 [1] in the pre­vi­ous five posts in this series, I think we should begin there by look­ing at Table 10 from the stand­ard.

Table 10 — Summary of requirements for categories (columns of the original table: Category; Summary of requirements; System behaviour; Principle used to achieve safety; MTTFd of each channel; DCavg; CCF)

Category B (see 6.2.3)
Summary of requirements: SRP/CS and/or their protective equipment, as well as their components, shall be designed, constructed, selected, assembled and combined in accordance with relevant standards so that they can withstand the expected influence. Basic safety principles shall be used.
System behaviour: The occurrence of a fault can lead to the loss of the safety function.
Principle used to achieve safety: Mainly characterized by selection of components.
MTTFd of each channel: Low to medium. DCavg: None. CCF: Not relevant.

Category 1 (see 6.2.4)
Summary of requirements: Requirements of B shall apply. Well-tried components and well-tried safety principles shall be used.
System behaviour: The occurrence of a fault can lead to the loss of the safety function but the probability of occurrence is lower than for category B.
Principle used to achieve safety: Mainly characterized by selection of components.
MTTFd of each channel: High. DCavg: None. CCF: Not relevant.

Category 2 (see 6.2.5)
Summary of requirements: Requirements of B and the use of well-tried safety principles shall apply. Safety function shall be checked at suitable intervals by the machine control system.
System behaviour: The occurrence of a fault can lead to the loss of the safety function between the checks. The loss of safety function is detected by the check.
Principle used to achieve safety: Mainly characterized by structure.
MTTFd of each channel: Low to high. DCavg: Low to medium. CCF: See Annex F.

Category 3 (see 6.2.6)
Summary of requirements: Requirements of B and the use of well-tried safety principles shall apply. Safety-related parts shall be designed, so that
— a single fault in any of these parts does not lead to the loss of the safety function, and
— whenever reasonably practicable, the single fault is detected.
System behaviour: When a single fault occurs, the safety function is always performed. Some, but not all, faults will be detected. Accumulation of undetected faults can lead to the loss of the safety function.
Principle used to achieve safety: Mainly characterized by structure.
MTTFd of each channel: Low to high. DCavg: Low to medium. CCF: See Annex F.

Category 4 (see 6.2.7)
Summary of requirements: Requirements of B and the use of well-tried safety principles shall apply. Safety-related parts shall be designed, so that
— a single fault in any of these parts does not lead to a loss of the safety function, and
— the single fault is detected at or before the next demand upon the safety function, but that if this detection is not possible, an accumulation of undetected faults shall not lead to the loss of the safety function.
System behaviour: When a single fault occurs the safety function is always performed. Detection of accumulated faults reduces the probability of the loss of the safety function (high DC). The faults will be detected in time to prevent the loss of the safety function.
Principle used to achieve safety: Mainly characterized by structure.
MTTFd of each channel: High. DCavg: High including accumulation of faults. CCF: See Annex F.

NOTE For full requirements, see Clause 6.

Table 10 sum­mar­izes all the key require­ments for the five cat­egor­ies of archi­tec­ture, giv­ing the fun­da­ment­al mech­an­ism for achiev­ing safety, the required MTTFd, DC and CCF. Note that fault exclu­sion can be used in Categories 3 and 4. There is no sim­il­ar table avail­able for CSA Z432 [2] or RIA R 15.06 [3], so I have con­struc­ted one fol­low­ing a sim­il­ar format to Table 10.

Summary of requirements for CSA Z432 / Z434 and RIA R15.06 (columns of the original table: Category; CSA Z432-04 / Z434-03 summary of requirements; System behaviour; Principle used to achieve safety; RIA R15.06-1999 summary of requirements)

ALL
CSA Z432-04 / Z434-03: Safety control systems (electric, hydraulic, pneumatic) shall meet one of the performance criteria listed in Clauses 4.5.2 to 4.5.5.
RIA R15.06-1999: Safety circuits (electric, hydraulic, pneumatic) shall meet one of the performance criteria listed in 4.5.1 through 4.5.4 (see RIA footnote 2 below).
RIA footnote 2: These performance criteria are not to be confused with the European categories B to 3 as described in ISO/IEC DIS 13849-1, Safety of machinery – Safety-related parts of control systems – Part 1: General principles for design (in correlation with EN 954-1.) They are different. The committee believes that the criteria in 4.5.1 – 4.5.4 exceed the criteria of B – 3 respectively, and further believe the reverse is not true.

SIMPLE
CSA Z432-04 / Z434-03: Simple safety control systems shall be designed and constructed using accepted single channel circuitry. Such systems may be programmable. Note: This type of system should be used for signalling and annunciation purposes only.
System behaviour: The occurrence of a fault can lead to the loss of the safety function.
Principle used to achieve safety: Mainly characterized by component selection.
RIA R15.06-1999: Simple safety circuits shall be designed and constructed using accepted single channel circuitry, and may be programmable.

SINGLE CHANNEL
CSA Z432-04 / Z434-03: Single channel safety control systems shall
a) be hardware based or comply with Clause 6.5;
b) include components that should be safety rated; and
c) be used in accordance with manufacturers’ recommendations and proven circuit designs (e.g., a single channel electromechanical positive break device that signals a stop in a de-energized state).
Note: In this type of system a single component failure can lead to the loss of the safety function.
System behaviour: The occurrence of a fault can lead to the loss of the safety function.
Principle used to achieve safety: Mainly characterized by component selection.
RIA R15.06-1999: Single channel safety circuits shall be hardware based or comply with 6.4, include components which should be safety rated, be used in compliance with manufacturers’ recommendations and proven circuit designs (e.g. a single channel electro-mechanical positive break device which signals a stop in a de-energized state.)

SINGLE CHANNEL WITH MONITORING
CSA Z432-04 / Z434-03: Single channel safety control systems with monitoring shall include the requirements for single channel, be safety rated, and be checked (preferably automatically) at suitable intervals in accordance with the following:
a) The check of the safety function(s) shall be performed i) at machine start-up; and ii) periodically during operation (preferably at each change in state).
b) The check shall either i) allow operation if no faults have been detected; or ii) generate a stop if a fault is detected. A warning shall be provided if a hazard remains after cessation of motion.
c) The check itself shall not cause a hazardous situation.
d) Following detection of a fault, a safe state shall be maintained until the fault is cleared.
Note: In this type of circuit a single component failure can also lead to the loss of the safety function.
System behaviour: The occurrence of a fault can lead to the loss of the safety function.
Principle used to achieve safety: Characterized by both component selection and structure.
RIA R15.06-1999: Single channel with monitoring safety circuits shall include the requirements for single channel, shall be safety rated, and shall be checked (preferably automatically) at suitable intervals.
a) The check of the safety function(s) shall be performed 1) at machine start-up, and 2) periodically during operation;
b) The check shall either: 1) allow operation if no faults have been detected, or 2) generate a stop signal if a fault is detected. A warning shall be provided if a hazard remains after cessation of motion;
c) The check itself shall not cause a hazardous situation;
d) Following detection of a fault, a safe state shall be maintained until the fault is cleared.

CONTROL RELIABLE
CSA Z432-04 / Z434-03: Control reliable safety control systems shall be dual channel with monitoring and shall be designed, constructed, and applied such that any single component failure, including monitoring, shall not prevent the stopping action of the robot. These safety control systems shall be hardware based or in accordance with Clause 6.5. The systems shall include automatic monitoring at the system level conforming to the following:
a) The monitoring shall generate a stop if a fault is detected. A warning shall be provided if a hazard remains after cessation of motion.
b) Following detection of a fault, a safe state shall be maintained until the fault is cleared.
c) Common mode failures shall be taken into account when the probability of such a failure occurring is significant.
d) The single fault should be detected at time of failure. If not practicable, the failure shall be detected at the next demand upon the safety function.
e) These safety control systems shall be independent of the normal program control (function) and shall be designed to be not easily defeated or not easily bypassed without detection.
System behaviour: When a single fault occurs, the safety function is always performed. Some, but not all, faults will be detected. Accumulation of undetected faults can lead to the loss of the safety function.
Principle used to achieve safety: Characterized primarily by structure.
RIA R15.06-1999: Control reliable safety circuitry shall be designed, constructed and applied such that any single component failure shall not prevent the stopping action of the robot. These circuits shall be hardware based or comply with 6.4, and include automatic monitoring at the system level.
a) The monitoring shall generate a stop signal if a fault is detected. A warning shall be provided if a hazard remains after cessation of motion;
b) Following detection of a fault, a safe state shall be maintained until the fault is cleared.
c) Common mode failures shall be taken into account when the probability of such a failure occurring is significant.
d) The single fault should be detected at time of failure. If not practicable, the failure shall be detected at the next demand upon the safety function.

CSA Z434 vs. RIA R15.06

Before we dig into the com­par­is­on between North America and the International stand­ards, we need to look at the dif­fer­ences between CSA and ANSI/​RIA. There are some subtle dif­fer­ences here that can trip you up and cost sig­ni­fic­ant money to cor­rect after the fact. The fol­low­ing state­ments are based on my per­son­al exper­i­ence and on dis­cus­sions that I have had with people on both the CSA and RIA tech­nic­al com­mit­tees tasked with writ­ing these stand­ards. One more note – ANSI RIA R15.06 has been revised and ALL OF SECTION 4 has been replaced with ANSI/​RIA/​ISO 10218 – 1 [7]. This is very sig­ni­fic­ant, but we need to deal with this old dis­cus­sion first.

Systems vs. Circuits

The CSA stand­ard uses the term “con­trol system(s)” through­out the defin­i­tions of the cat­egor­ies, while the ANSI/​RIA stand­ard uses the term “circuit(s)”. This is really the crux of the dis­cus­sion between these two stand­ards. While the dif­fer­ence between the terms may seem insig­ni­fic­ant at first, you need to under­stand the back­ground to get the dif­fer­ence.

The CSA term requires two sep­ar­ate sens­ing devices on the gate or oth­er guard, just as the Category 3 and 4 defin­i­tions do, and for the same reas­on. The CSA com­mit­tee felt that it was import­ant to be able to detect all single faults, includ­ing mech­an­ic­al ones. Also, the use of two inter­lock­ing devices on the guard makes it more dif­fi­cult to bypass the inter­lock.

The RIA term requires redund­ant elec­tric­al con­nec­tions to the inter­lock­ing device, but impli­citly allows for a single inter­lock­ing device because it only expli­citly refers to “cir­cuits”.
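The practical consequence of the “systems” versus “circuits” wording is what a single mechanical fault looks like to the monitor. The model below is an added example, not code from the article or from either standard: a two-channel monitor with the stop-and-latch behaviour the CONTROL RELIABLE rows above call for, driven either by two contact blocks on one switch (the RIA “circuit” reading) or by two separate switches on the guard (the CSA “system” reading). The jammed-actuator failure mode, the three-cycle discrepancy window and the scan sequence are assumptions made for the model.

```python
# Added example (not from the original article or either standard): a model
# of a dual-channel, monitored interlock used to show why "two sensing
# devices" and "two circuits from one device" differ under a single
# mechanical fault. Failure mode and discrepancy window are assumptions.
from dataclasses import dataclass


@dataclass
class InterlockSwitch:
    """One guard interlock switch: a mechanical actuator (tongue or hinge
    pin) drives one or two contact blocks."""
    actuator_jammed: bool = False   # assumed mechanical fault

    def read(self, guard_closed: bool) -> bool:
        # A jammed actuator keeps every contact on this switch in its
        # "guard closed" state no matter where the guard really is.
        return True if self.actuator_jammed else guard_closed


@dataclass
class DualChannelMonitor:
    """Compares two channels each scan. A disagreement that outlasts the
    discrepancy window latches a fault; the output is the machine enable."""
    max_discrepancy_cycles: int = 3
    fault_latched: bool = False
    discrepancy_cycles: int = 0

    def evaluate(self, ch1: bool, ch2: bool) -> bool:
        if self.fault_latched:
            return False                      # safe state held until cleared
        if ch1 != ch2:
            self.discrepancy_cycles += 1      # tolerate contact bounce / skew
            if self.discrepancy_cycles > self.max_discrepancy_cycles:
                self.fault_latched = True     # stop on a detected fault
            return False
        self.discrepancy_cycles = 0
        return ch1 and ch2                    # enable only with both "closed"

    def reset(self, ch1: bool, ch2: bool) -> bool:
        """Manual reset; refused while the channels still disagree."""
        if ch1 == ch2:
            self.fault_latched = False
            self.discrepancy_cycles = 0
        return not self.fault_latched


def run(channel_sources, guard_sequence, cycles_per_state: int = 5) -> dict:
    """channel_sources: (switch feeding channel 1, switch feeding channel 2).
    Scans each guard position for a few cycles and records the enable state
    at the end of each position plus whether a fault was latched."""
    monitor = DualChannelMonitor()
    sw1, sw2 = channel_sources
    enables = []
    for guard_closed in guard_sequence:
        enable = False
        for _ in range(cycles_per_state):
            enable = monitor.evaluate(sw1.read(guard_closed), sw2.read(guard_closed))
        enables.append(enable)
    return {"enable": enables, "fault_latched": monitor.fault_latched}


def single_device_two_contacts(jammed: bool) -> dict:
    """RIA-style redundant 'circuit': both channels wired to one switch.
    Sequence: guard closed, opened, closed again."""
    switch = InterlockSwitch(actuator_jammed=jammed)
    return run((switch, switch), [True, False, True])


def two_independent_devices(first_jammed: bool) -> dict:
    """CSA-style 'control system': each channel has its own switch."""
    return run((InterlockSwitch(actuator_jammed=first_jammed), InterlockSwitch()),
               [True, False, True])


if __name__ == "__main__":
    print("one switch, jammed:   ", single_device_two_contacts(True))
    print("two switches, jammed: ", two_independent_devices(True))
```

With one switch, a jammed actuator leaves both channels reporting “closed” after the gate opens, so the enable stays on and the monitor sees nothing: a dangerous undetectable fault, however redundant the wiring. With two switches the channels disagree as soon as the gate moves, the monitor drops the enable within the discrepancy window and latches the fault until a reset is permitted. The same comparison is what makes the two-device arrangement harder to bypass without detection.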

The explanation I’ve been given for the discrepancy is rooted in the early days of industrial robotics. Many early robot cells had NO interlocks on the guarding because the hazards related to robot motion were not well understood. There were a number of incidents resulting in fatalities that drove robot users to begin to seek better ways to protect workers. The RIA R15.06 committee decided that interlocks were needed, but there was a recognition that many users would balk at installing expensive interlock devices, so they compromised and allowed that ANY kind of interlocking device was better than none. This was amended in the 1999 edition to require that components be “safety rated”, effectively eliminating the use of conventional proximity switches and non-safety-rated limit switches.

The recent revi­sion of ANSI/​RIA R15.06 to include ANSI/​ISO 10218 – 1 as a replace­ment for Section 4 is sig­ni­fic­ant for a couple of reas­ons: 1) It now means that the robot itself need only meet the ISO stand­ard; instead of the ISO and the RIA stand­ards; and 2) It brings in ISO 13849 – 1 defin­i­tions of reli­ab­il­ity cat­egor­ies. This means that the US has now offi­cially dropped the “SIMPLE, SINGLE-​CHANNEL,” etc. defin­i­tions and now uses “Category B, 1, etc.” However, they have only adop­ted the Edition 1 ver­sion of the stand­ard, so none of the PL, MTTFd, etc. cal­cu­la­tions have been adop­ted. This means that the RIA stand­ard is now har­mon­ized to the 1995 edi­tion of EN 954 – 1. These updates to the 2006 edi­tion may come in sub­sequent edi­tions of R15.06.

CSA has chosen to reaf­firm the 2003 edi­tion of CSA Z434, so the Canadian National Standard con­tin­ues to refer to the old defin­i­tions.

North America vs International Standards

In the descrip­tion of single-​channel sys­tems /​ cir­cuits under the North American stand­ards you will notice that par­tic­u­lar atten­tion is paid to includ­ing descrip­tions of the use of “proven designs” and “positive-​break devices”. What the TC’s were refer­ring to are the same “well-​tried safety prin­ciples” and “well-​tried com­pon­ents” as referred to in the International stand­ards, only with less descrip­tion of what those might be. The only major addi­tion to the defin­i­tions is the recom­mend­a­tion to use “safety-​rated devices”, which is not included in the International stand­ard. (N.B. The use of the word “should” in the defin­i­tions should be under­stood as a strong recom­mend­a­tion, but not neces­sar­ily a man­dat­ory require­ment.) Under EN 954 – 1 [4] and EN 1088 [5] (in the ref­er­enced edi­tions, in any case) it was pos­sible to use stand­ard lim­it switches arranged in a redund­ant man­ner and activ­ated using com­bined pos­it­ive and non-​positive-​mode activ­a­tion. In later edi­tions this changed, and there is now a pref­er­ence for devices inten­ded for use in safety applic­a­tions.

Also worth not­ing is that there is NO allow­ance for fault exclu­sion under the CSA stand­ard or the 1999 edi­tion of the ANSI stand­ard.

As far as the RIA committee’s assertion that their definitions are not equivalent to the International standard, and may be superior, I think that there are too many missing qualities in the ANSI standard for that to stand. In any case, this is now moot, since ANSI has adopted EN ISO 13849-1:2006 as a reference to EN ISO 10218-1 [6], replacing Section 4 of ANSI/RIA R15.06-1999.

References

[1] “Safety of machinery — Safety-​related parts of con­trol sys­tems — Part 1: General prin­ciples for design”, ISO 13849 – 1, Edition 2, International Organization for Standardization (ISO), Geneva, 2006.

[2] “Safeguarding of machinery”, CSA Z432, Canadian Standards Association (CSA), Toronto, 2004.

[3] “American National Standard for Industrial Robots and Robot Systems — Safety Requirements”, ANSI/​RIA R15.06, American National Standards Institute, Inc. (ANSI), Ann Arbor, 1999.

[4] “Safety of machinery — Safety related parts of control systems — Part 1. General principles for design”, EN 954-1, European Committee for Standardization (CEN), Brussels, 1996.

[5] “Safety of machinery — Interlocking devices associated with guards — Principles for design and selection”, EN 1088, CEN, Brussels, 1995.

[6] “Robots and robotic devices — Safety requirements for industrial robots — Part 1: Robots”, EN ISO 10218-1, CEN, Brussels, 2011.

[7] “Robots for Industrial Environment – Safety Requirements – Part 1 – Robot”, ANSI/​RIA/​ISO 10218 – 1, American National Standards Institute, Inc. (ANSI), Ann Arbor, 2007.

Copyright secured by Digiprove © 2011 – 2012. Acknowledgements: See references listed at end of article. Some Rights Reserved.